Knowing the difference between a legitimate e-mail and a scammed phishing
e-mail is not always as easy as one would think.

According to data from e-mail security firm MailFrontier, only 4 percent of users can spot a phished e-mail 100 percent of the time.
That's a very sobering thought as the holiday season is upon us and Americans
flock online for their shopping needs.

MailFrontier's data comes from its Phishing IQ Test, which is comprised of 10 examples of e-mails and users must choose whether they think the mail is legitimate, a fraud or if they have no answer.

The example e-mails are from Chase, PayPal, Bank of America, Washington Mutual, MSN, EarthLink and Amazon.

The average score in 2005, according to MailFrontier, is 75 percent, which
is up from 61 percent in 2004.

Andrew Klein, manager with the MailFrontier Threat Center, noted that improvement in test takers' ability to spot a phishing attempt occurred over time.

"We believe this is the result of people becoming more aware of phishing
in general," Klein told internetnews.com. "They got more suspicious."

One of the surprising results of the survey, according to Klein, is that
younger people (18-24) are more likely than older people (55+) to be fooled
by a phishing attack.

MailFrontier said there are five main myths surrounding phishing.

The first myth is that users can actually detect a phishing attack. Though they are getting better at identifying phishing attacks, Klein argues that there is still a good chance someone will consider a phishing e-mail to actually be legitimate.

The second myth is that spam filters can detect and stop phishing attacks.

"By now most people agree that spam and phishing e-mail are different,
with phishing e-mail designed to look like legitimate transactional e-mail a
user would expect to receive," Klein noted. "To catch a phish, a different
set of evaluation criteria is required to help distinguish the legitimate
from the phishing e-mail."

Domain authentication as a vehicle to stop phishing e-mail is the third
phishing myth. Klein argues that spammers, as well as phishers, have already
shown they can publish authentication records for the domains they obtain.

The fourth myth is that detecting URL exploits can stop phishing attacks.

"URL exploits are a good indicator that something is amiss, but by itself
they cannot be proof positive," Klein explained. "Legitimate companies use
techniques like URL redirection, long URLs (which run beyond the end of the
status bar) and even raw IP addresses in their legitimate e-mail."

"Phishers understand the legitimate uses and take advantage of them."

Lastly and perhaps most importantly is the myth that users don't need to
do anything to protect themselves and their companies from phishing e-mail.

Doing nothing can lead to the loss of personal, financial and even
corporate information. MailFrontier forecast that phishing e-mail will be up by 25 percent from 750 million last year to 1 billion this year.

Will this criminal deluge continue unabated, or is there a way to beat
phishing? Klein asserts that it can't be beaten but it can be made
economically unattractive.

"Spam has not quite disappeared yet. Neither have viruses. So I don't
think phishing will, either," Klein said. "The idea is to raise the
technological, awareness, and economic hurdles so high that the phishers
move on to the next exploitation."